NEWS The Chinese "Ghost" Backdoor in Global Corporate Networks for Over a Year. What is China Preparing?

ExcalibuR

How Chinese BRICKSTORM made expensive security meaningless.

According to Google Threat Intelligence, a China-linked espionage group known as UNC5221 has carried out a series of successful intrusions into corporate networks since March of this year, exploiting previously unknown vulnerabilities in Ivanti products. These attacks resulted in the deployment of backdoors that allowed the attackers to maintain undetected access to victim infrastructure for an average of 393 days.

Specialists have attributed these actions to group UNC5221 and other Chinese cyber-espionage formations closely associated with it. According to the report, UNC5221 itself began actively exploiting vulnerabilities in Ivanti devices as early as 2023. Google emphasizes that this group is not linked to Silk Typhoon (formerly Hafnium), which is suspected of hacking the U.S. Treasury Department in December.

In Google's classification, "UNC" stands for "Uncategorized"—meaning it is not classified as financially motivated (FIN) or as a state-sponsored APT group, although UNC5221's origin clearly points to state backing.

Since the spring of 2025, Mandiant experts have been responding to incidents linked to this group across various sectors, from law firms to SaaS providers and business process outsourcing companies. In most cases, the attackers used a specially designed backdoor called BRICKSTORM, implanted on devices that cannot run traditional endpoint detection and response (EDR) tools. This allowed the attackers to remain stealthy: the organizations' security systems simply did not record the malicious activity.

To help identify infections, Google has published a free scanning tool that does not require installation, uses YARA, and is suitable for Linux and BSD-based systems. It searches for unique signatures and code patterns characteristic of BRICKSTORM. Mandiant representatives emphasize that the number of infected entities could be significant once organizations begin mass scanning their devices; the fallout from this campaign is expected to unfold over the next one to two years.

In at least one case, the hackers gained access via a zero-day vulnerability in Ivanti Connect Secure. Although Google does not specify which vulnerability was used, researchers have previously linked UNC5221 to the active exploitation of CVE-2023-46805 and CVE-2024-21887—both of which were only publicly disclosed in January 2024.

After breaching the network, the attackers installed BRICKSTORM—malware written in Go and equipped with SOCKS proxy functionality. While a Windows version is mentioned, Mandiant experts have not directly observed it; information about this modification is indirect. The malware was actually found on Linux and BSD devices, including network appliances from various manufacturers.

UNC5221 regularly attacks VMware vCenter servers and ESXi hosts, often starting by infecting perimeter devices and then using stolen credentials to move deeper into the network. In one attack, BRICKSTORM was implanted into a vCenter server after the incident investigation had begun, indicating the adversary's ability to adapt in real time and monitor the defenders' actions. The malware was also modified between samples: it used the Garble obfuscation tool, custom wssoft libraries, and in one instance, a timer that delayed activity until a specified date.

Furthermore, in several cases, the hackers used additional malware—BRICKSTEAL—a malicious Java Servlet filter for Apache Tomcat that operates as part of the vCenter web interface. It intercepts HTTP Basic Auth headers, extracting logins and passwords, including domain credentials if the organization uses Active Directory. While installing such a filter typically requires configuration changes and a server restart, in this case the attackers used a special dropper that injected the code into memory without a restart, further enhancing stealth.

As part of the attacks, the perpetrators also gained access to the mailboxes of key employees—developers, system administrators, and other specialists whose work might be of interest to Chinese economic or intelligence interests. They did this using Microsoft Entra ID Enterprise Applications permissions like mail.read or full_access_as_app, which allow reading any mail within the organization.
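Because the mailbox access described above rides on legitimately consented Enterprise Application permissions, the defensive check is an audit of which apps hold tenant-wide mail permissions and whether each one is on your documented allow-list. The script below is an added example, not Google or Mandiant tooling: the export format is a constructed simplification of what you would build from a Microsoft Graph service-principal export, and the field names, app ids and the Mail.ReadWrite entry are assumptions (only Mail.Read and full_access_as_app are named on the page).

```python
"""
Audit Entra ID enterprise-application permission grants for tenant-wide
mailbox access. Added example; record layout and sample values constructed.
"""
from dataclasses import dataclass

# Permission values that grant access to every mailbox when consented as
# *application* permissions (no signed-in user required). Mail.Read and
# full_access_as_app are named in the article; Mail.ReadWrite is an assumption.
MAILBOX_WIDE_PERMISSIONS = {
    "mail.read",            # Microsoft Graph
    "mail.readwrite",       # Microsoft Graph (assumed addition)
    "full_access_as_app",   # Exchange Web Services
}


@dataclass(frozen=True)
class AppGrant:
    app_display_name: str
    app_id: str             # application (client) id; constructed values below
    permission: str         # e.g. "Mail.Read"
    permission_type: str    # "Application" or "Delegated"
    granted_on: str         # ISO-8601 date of admin consent (constructed)


def mailbox_wide_grants(grants):
    """Return grants that let an app read any mailbox without a user signing in."""
    return [
        g for g in grants
        if g.permission_type.lower() == "application"
        and g.permission.lower() in MAILBOX_WIDE_PERMISSIONS
    ]


def unapproved_mailbox_grants(grants, approved_app_ids):
    """Narrow the list to apps absent from the documented allow-list.

    Since this campaign avoids reusable IOCs, the useful signal is a deviation
    from an inventory you maintain, not a known-bad application name.
    """
    return [g for g in mailbox_wide_grants(grants) if g.app_id not in approved_app_ids]


# Constructed sample export: a sanctioned mail archiver, a delegated-only app
# (harmless here because it acts only as the signed-in user), and a recently
# consented app nobody on the team recognises.
SAMPLE_GRANTS = [
    AppGrant("Mail Archiver", "00000000-0000-0000-0000-00000000a001",
             "Mail.Read", "Application", "2023-02-14"),
    AppGrant("HR Portal", "00000000-0000-0000-0000-00000000a002",
             "Mail.Read", "Delegated", "2024-06-01"),
    AppGrant("Sync Helper", "00000000-0000-0000-0000-00000000a003",
             "full_access_as_app", "Application", "2025-04-03"),
]
APPROVED_APP_IDS = {"00000000-0000-0000-0000-00000000a001"}


if __name__ == "__main__":
    for g in unapproved_mailbox_grants(SAMPLE_GRANTS, APPROVED_APP_IDS):
        print(f"REVIEW: {g.app_display_name} ({g.app_id}) holds {g.permission} "
              f"as an Application permission, consented {g.granted_on}")
```

Run against a real export, the point of the allow-list comparison is that an app granted full_access_as_app last month by an account that was not supposed to be doing admin consent stands out even when its display name looks mundane; the consent date and the consenting account are the fields worth pulling into the review.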

Data exfiltration from compromised systems occurred through BRICKSTORM's own proxy mechanism—the attackers created tunnels and interacted directly with the victim's web applications. In some incidents, the attackers manually deleted samples of the malware, and its presence was only revealed by analyzing backups—which preserved traces of BRICKSTORM activity.

Mandiant emphasizes that the group does not reuse C2 domains and does not even duplicate malware samples, making traditional Indicators of Compromise (IOCs) practically useless. Instead, the company recommends a behavioral approach based on TTPs (Tactics, Techniques, and Procedures) and provides a detailed 9-step methodology for searching for signs of attack.

Organizations are advised to update their inventory of devices, including perimeter appliances, and analyze network logs. Signs of attack include internet connections from management IP addresses, access attempts to Windows systems, suspicious activity in Microsoft 365, and unauthorized operations with VMware. Other indicators listed include cloning virtual machines, creating local user accounts, enabling SSH on the vSphere platform, and launching unauthorized VMs.
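Two of the signs listed above lend themselves to simple behavioural checks over existing logs: outbound internet connections from management addresses, and the vSphere operations named (VM cloning, local account creation, enabling SSH, powering on VMs that are not in the inventory). The script below is an added example, not Mandiant's 9-step methodology or any vendor tool; the flow-record and vCenter-style audit line formats, the network ranges and all sample lines are constructed, so you would swap in the parser for whatever your flow collector and vCenter export actually produce.

```python
"""
Behavioural hunt over constructed log lines for two signs from the article:
management-plane hosts talking to the internet, and suspicious vSphere events.
Added example; line formats, networks and sample data are constructed.
"""
import ipaddress
import re

# Addresses that should only ever talk to internal systems (constructed).
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Everything considered "inside". Listed explicitly instead of relying on
# ipaddress.is_private so the documentation ranges used below as stand-in
# public addresses (203.0.113.0/24) count as external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed flow record: <timestamp> <src> <dst> <proto> <dst_port> <bytes>
FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(TCP|UDP)\s+(\d+)\s+(\d+)$")


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def management_egress(flow_lines):
    """Flows from a management address to a destination outside INTERNAL_NETS."""
    hits = []
    for line in flow_lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, src, dst, proto, port, nbytes = m.groups()
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        if _in_any(src_ip, MANAGEMENT_NETS) and not _in_any(dst_ip, INTERNAL_NETS):
            hits.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                         "port": int(port), "bytes": int(nbytes)})
    return hits


# Constructed vCenter-style audit line: <ts> <host> user=<u> event="<text>" [vm=<name>]
EVENT_RE = re.compile(r'^(\S+)\s+\S+\s+user=(\S+)\s+event="([^"]+)"')

# Event text for the vSphere signs named in the article.
VSPHERE_SIGNS = {
    "vm_cloned": re.compile(r"\bVM cloned\b", re.I),
    "local_account_created": re.compile(r"\blocal account created\b", re.I),
    "ssh_enabled": re.compile(r"\bSSH service (enabled|started)\b", re.I),
    "vm_powered_on": re.compile(r"\bVM powered on\b", re.I),
}


def suspicious_vsphere_events(event_lines, known_vms):
    """Tag events matching the listed signs.

    Cloning, local account creation and SSH enablement are always reported.
    A power-on is reported only for a VM absent from the inventory baseline,
    which is how an unauthorised VM shows up in the log.
    """
    findings = []
    for line in event_lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, user, text = m.groups()
        for tag, pat in VSPHERE_SIGNS.items():
            if not pat.search(text):
                continue
            if tag == "vm_powered_on":
                vm = re.search(r"\bvm=(\S+)", line)
                if vm and vm.group(1) in known_vms:
                    continue  # routine power-on of an inventoried VM
                tag = "unauthorised_vm"
            findings.append({"ts": ts, "user": user, "sign": tag, "event": text})
    return findings


# Constructed sample data: 10.10.0.21 is a management address, 203.0.113.x
# stands in for internet hosts, and DC01-copy is a clone not in the baseline.
SAMPLE_FLOWS = [
    "2025-09-10T03:14:07Z 10.10.0.21 10.0.5.8 TCP 443 2048",
    "2025-09-10T03:14:09Z 10.10.0.21 203.0.113.45 TCP 443 51200",
    "2025-09-10T03:15:00Z 192.168.4.7 203.0.113.9 TCP 443 900",
    "not a flow record",
]
SAMPLE_EVENTS = [
    '2025-09-10T03:20:11Z vcenter01 user=svc-backup event="VM cloned" vm=DC01 target=DC01-copy',
    '2025-09-10T03:21:40Z esxi03 user=root event="SSH service enabled"',
    '2025-09-10T03:25:02Z vcenter01 user=admin event="VM powered on" vm=WEB02',
    '2025-09-10T03:26:30Z vcenter01 user=svc-backup event="VM powered on" vm=DC01-copy',
]
KNOWN_VMS = {"DC01", "WEB02"}

if __name__ == "__main__":
    for h in management_egress(SAMPLE_FLOWS):
        print(f"EGRESS  {h['ts']} {h['src']} -> {h['dst']}:{h['port']} ({h['bytes']} B)")
    for f in suspicious_vsphere_events(SAMPLE_EVENTS, KNOWN_VMS):
        print(f"VSPHERE {f['ts']} {f['sign']} by {f['user']}: {f['event']}")
```

The management-egress check is deliberately allow-list based (anything not internal is reported) rather than matching known C2 addresses, because the article notes the group does not reuse C2 domains; the vSphere check likewise keys on the action, not on any sample-specific artifact.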